Now that I’ve taken a fair number of “security analytics” client inquiries (with wildly different meanings of the phrase), I can share one emerging pattern: a lot of this newly-found “analytics love” is really old “SIEM hatred” in disguise.
A 101% fictional and slightly over-dramatized conversation goes like this:
- Analyst: you said you wanted security analytics, what specifically do you want?
- Enterprise: I want to collect logs and some other data, correlate, analyze, report.
- Analyst: wait a second … that is called “SIEM”, SIEM does that!
- Enterprise, passive-aggressively: Well, ours doesn’t!!!
- Analyst: have you tried to… you know… actually use it?
- Enterprise: as a matter of fact, we did – for 5 years! Got anything else to ask?!
Upon some analysis, what emerges is a real problem that consists of the following:
- Lack of resources to write good correlation rules, tune them, refine them and adapt them to changing needs
- A degree of disappointment with out-of-the-box rules (whether traditional or baseline-based) and other SIEM content
- Lack of ability to integrate some of the more useful types of context data (such as IdM/IAM roles and user entitlements, as well as deeper asset data)
- Lack of trust that even well-written rules will let them detect attacker lateral moves, use of stolen/decrypted credentials, preparation for data exfiltration, creation of backdoors, etc.
- Occasionally, a lack of desire to understand their own many monitoring use cases, preferring instead to buy a box for each problem.
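To make the second, third and fourth points above concrete, here is a small added illustration (not code from the original post, nor from any SIEM or UBA vendor) of why context data changes what a correlation rule can do. It runs three rules over a handful of constructed access-log lines: a context-free "after hours access to a sensitive share" rule of the kind that ships out of the box, the same question asked against a constructed IdM entitlement table, and a crude "same credential seen from several hosts in a short window" rule as a rough lateral-movement indicator. The log format, user names, host names, entitlement table and asset ratings are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# timestamp, user, source host, target asset, action.
SAMPLE_LOGS = """\
2015-03-02T22:15:01 user=jsmith src=wks-17 dst=fin-share01 action=file_read
2015-03-02T22:16:40 user=jsmith src=wks-17 dst=fin-share01 action=file_read
2015-03-02T22:20:05 user=bkim src=wks-42 dst=fin-share01 action=file_read
2015-03-02T22:21:30 user=bkim src=srv-db03 dst=hr-share02 action=file_read
2015-03-02T22:22:10 user=bkim src=srv-db03 dst=fin-share01 action=file_read
"""

# Constructed IdM/IAM context: which assets each user's role entitles them to.
ENTITLEMENTS = {
    "jsmith": {"role": "finance", "assets": {"fin-share01"}},
    "bkim": {"role": "helpdesk", "assets": {"wks-42"}},  # no finance/HR entitlement
}
# Constructed asset context: how sensitive each system is.
ASSETS = {"fin-share01": "high", "hr-share02": "high", "wks-17": "low", "srv-db03": "medium"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse(log_text):
    """Normalize raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real SIEM would at least count un-normalized lines
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def rule_after_hours(events):
    """Context-free, out-of-the-box style: any access to a sensitive asset outside 08:00-18:00.
    Fires on the entitled finance user just as readily as on anyone else."""
    return [(e["user"], e["dst"], "after_hours") for e in events
            if ASSETS.get(e["dst"]) == "high" and not 8 <= e["ts"].hour < 18]


def rule_unentitled_access(events):
    """Context-aware: access to a sensitive asset that the user's IdM role does not entitle them to."""
    alerts = []
    for e in events:
        ent = ENTITLEMENTS.get(e["user"])
        if ASSETS.get(e["dst"]) == "high" and (ent is None or e["dst"] not in ent["assets"]):
            alerts.append((e["user"], e["dst"], "unentitled_access"))
    return alerts


def rule_lateral_spread(events, window=timedelta(minutes=10), min_hosts=2):
    """Same credential used from several source hosts inside a short window:
    one rough indicator that a stolen credential is being replayed across the estate."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, tuple(sorted(hosts)), "lateral_spread"))
                break  # one alert per user is enough for this illustration
    return alerts


def run_all(log_text=SAMPLE_LOGS):
    events = parse(log_text)
    return {
        "after_hours": rule_after_hours(events),
        "unentitled_access": rule_unentitled_access(events),
        "lateral_spread": rule_lateral_spread(events),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(f"{name}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a)
```

On the constructed sample the context-free rule fires five times, two of them on the finance user reading his own share; the entitlement-aware rule fires only on the helpdesk account touching finance and HR data, and the lateral rule fires once because that same account shows up from a workstation and a database server within ten minutes. The difference is not a smarter algorithm, it is the IdM and asset tables, which is exactly the context data many SIEM deployments never get wired in.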
So, a few years of such SIEM unhappiness have borne a result … UBA. Some vendors’ UBAs are “SIEM add-ons” (since they rely on the SIEM for collection, normalization and storage), others are more like a “narrower but smarter SIEM” (since they collect a subset of SIEM logs and maybe other data).
A few can work with DLP and not just a SIEM (as we all know, tuning DLP is often – imagine that! – a bigger pain than tuning a SIEM) in order to create additional insight from SIEM and DLP outputs. As I hypothesize, UBA is where a broader-scope security analytics tooling may eventually emerge.
Now, do you need/want analytics or do you just hate your SIEM?
Blog posts on the security analytics topic:
- Security Analytics – Finally Emerging For Real?
- Why No Security Analytics Market?
- SIEM Real-time and Historical Analytics Collide?
- SIEM Analytics Histories and Lessons
- Big Data for Security Realities – Case 4: Big But Narrowly Used Data
- Big Data Analytics Mindset – What Is It?
- Big Data Analytics for Security: Having a Goal + Exploring
- More On Big Data Security Analytics Readiness
- Broadening Big Data Definition Leads to Security Idiotics!
- 9 Reasons Why Building A Big Data Security Analytics Tool Is Like Building a Flying Car
- “Big Analytics” for Security: A Harbinger or An Outlier?